[dm-crypt] Offset/size issue during LUKS recovery.

Milan Broz gmazyland at gmail.com
Fri Jul 15 09:33:18 CEST 2016


On 07/15/2016 02:52 AM, Julio Cesar Faracco wrote:
> Hi,
> 
> Since I moved to the version 1.6.7 of cryptsetup, I started to have some problems to recovery a LUKS partition
> using a LUKS header file and a valid passphrase.
> 
> I'm following the steps bellow:
> 
> # losetup /dev/loop0 my_header_file
> # cryptsetup luksOpen /dev/loop0 my_enc_partition <<EOF
> $(PASSWORD)
> EOF
> 
> I'm getting the following output/error:
> Key slot 6 unlocked.
> Requested offset is beyond real size of device /dev/loop0.
> 
> I was checking the code and at this point cryptsetup compares the device size with the Header offset, right?
> After, that I used luksDump to check the offset and I add --debug to all commands...
> 
> # cryptsetup luksDump my_header_file --debug
> # Detected kernel Linux 3.10.0-327.13.1.el7.x86_64 x86_64.
> # Reading LUKS header of size 1024 from device /tmp/my_header_file
> # Key length 64, device size 8192 sectors, header size 4036 sectors.
> LUKS header information for /tmp/my_header_file
> Version:           1
> Cipher name:       aes
> Cipher mode:       xts-plain64
> Hash spec:         sha1
> Payload offset:    4096
> MK bits:           512
> ...
> 
> And,
> 
> When I run luksOpen, I got:
> 
> # # cryptsetup luksOpen /dev/loop0 my_enc_partition <<EOF
> $(PASSWORD)
> EOF
> # Detected kernel Linux 3.10.0-327.13.1.el7.x86_64 x86_64.
> # Reading LUKS header of size 1024 from device /tmp/my_header_file
> # Key length 64, device size 4060 sectors, header size 4036 sectors.
> # Iteration time set to 2000 miliseconds.
> # STDIN descriptor passphrase entry requested.
> ...
> Key slot 6 unlocked.
> Requested offset is beyond real size of device /dev/loop0.
> 
> Two doubts:
> - Is it right? Why does one command say that LUKS header has 8192 sectors and the other command say that it has 4060?

First, *please* do not truncate debug files... The first line should be the exact command executed.

I am little bit confused:

See:
> # Reading LUKS header of size 1024 from device /tmp/my_header_file
...
> LUKS header information for /tmp/my_header_file

but your provided command uses /dev/loop0. Something is missing there.

Did you use --header option?

Anyway, the whole problem is that for data device (/dev/loop0) system see 4060 sector size while
data offset is 4096 sectors, so it correctly prints info that device is too small.
(You can verify it with blockdev --getsz /dev/loop0.)
It looks like the loop0 is only file with header, not with the data.

There is no device size stored in LUKS header, it reads underlying device dynamically.
The only restriction is (as reported above) that device must be at least of size of "data payload offset"
(otherwise there is no space do user data).

So that said, you have loop mapped to some truncated file perhaps - this is the problem.

Milan
p.s.

the simpler way than EOF style should be is "echo $PASSWORD | cryptsetup luksOpen ..."


More information about the dm-crypt mailing list